Quantum cryptography as a retrodiction problem 
We propose a quantum key distribution protocol based on a quantum retrodiction protocol, known as the Mean King problem. The protocol uses a two-way quantum channel. We show security against coherent attacks in a transmission-error free scenario, even if Eve is allowed to attack both transmissions. This establishes a connection between retrodiction and key distribution.



INTRODUCTION 

Quantum key distribution (qkd) protocols allow two parties, traditionally called Alice and Bob, to generate a secret key, which enables them to communicate secretly via one-time pad encryption. There are qkd protocols that guarantee the security of the key against an eavesdropper who is capable of implementing arbitrary quantum operations (coherent attacks) [1][2][3].

After the execution of a qkd protocol Alice and Bob 
should share an identical and random bit string, which is 
unknown to a potential eavesdropper Eve. If one forgets 
for a moment about the secrecy of the bit string, the goal 
in a qkd protocol is that one of the communicating partners
infers a bit value corresponding to a measurement
outcome obtained or a state prepared by the other. In an 
optimal protocol one would request that this is possible 
in every run of the protocol. 

A similar problem has been proposed by Vaidman, Aharonov and Albert in the context of the retrodiction of a measurement result of a spin-1/2 particle, known as the Mean King problem. Alice in this setting has to guess the outcome of a measurement performed by Bob without knowing the measurement bases used. There has been a first proposal to use this setup in a quantum cryptographic context in [6], but a security proof accounting for an arbitrary attack on both quantum channels was not given. In this paper we show that there are solutions to the Mean King problem which guarantee the security of these measurement results against an eavesdropper in a stronger scenario, thus establishing the connection between retrodiction and security. In addition, the proposed protocol generates a bit of raw key in every single run.

SETTING AND RESULT 
The Mean King retrodiction problem 

The retrodiction problem can be stated as a quantum game played by two players. One player, Alice, wins the game if she can guess a measurement outcome obtained by the other player, Bob. Beforehand both of them agree on a Hilbert space of dimension $d$ and a set of $d+1$ orthonormal bases of this Hilbert space $\{\Phi_b(i);\ i = 1,\dots,d,\ b = 1,\dots,d+1\}$. Here $\Phi_b(i)$ denotes the $i$-th basis vector of the $b$-th basis.

Alice starts the game by preparing a maximally entangled state $\Omega \in \mathcal{H}\otimes\mathcal{H}$ and sends the second system to Bob. He performs a projective measurement in a randomly chosen basis $b \in \{1,\dots,d+1\}$, but keeps this choice and his measurement result $i$ secret. After Bob has returned the resulting eigenstate of his measurement to Alice, she holds the state (conditional on Bob obtaining $i$)

$$\Phi_b(i) = (\mathbb{1}\otimes|\Phi_b(i)\rangle\langle\Phi_b(i)|)\,\Omega. \qquad (1)$$

After Alice has performed a final measurement $\{F_x\}$ on this state, obtaining a classical result $x$, all quantum information is discarded. In the last step Bob reveals his choice of basis $b$ and, depending on this value and her measurement result $x$, Alice has to guess Bob's measurement outcome $i$. We note that the precise form of the result $x$ is not important and we might think of it as a $(d+1)$-tuple $x = (x(1),\dots,x(d+1))$ indicating to Alice that she should guess $i = x(b)$ if the basis $b$ was chosen by Bob. We refer to $x$ as a guessing function. As there are $d$ different possible measurement outcomes for each of the $d+1$ measurement bases, the set $X$ of possible guessing functions has $d^{d+1}$ different elements. A successful strategy for Alice consists of a maximally entangled state and a measurement $\{F_x\}$ such that the probability for a wrong guess is zero, which means that $\operatorname{tr}(F_x|\Phi_b(i)\rangle\langle\Phi_b(i)|) = 0$ unless $x(b) = i$, and that she can make a guess in every round, implying the normalization condition $\sum_x F_x = \mathbb{1}$.

The existence of such a strategy has been studied in the case of mutually unbiased bases (MUBs) |31 E]. In [7] it has been shown that for constructing a winning strategy weaker conditions are sufficient. A set of $k$ bases only has to be non-degenerate, meaning that the span of the projectors $|\Phi_b(i)\rangle\langle\Phi_b(i)|$ is $k(d-1)+1$ dimensional, and has to admit a classical model. Here a set of $k$ bases is said to admit a classical model if there exists a probability distribution of $k$ variables, each taking $d$ values, such that its marginals equal the probability distributions of the joint probabilities $p_{ab}(i,j) = \frac{1}{d}|\langle\Phi_b(i)|\Phi_a(j)\rangle|^2$ for all pairs of bases.






In our scenario with $k = d+1$, non-degeneracy implies also that the projectors span the space of all hermitian operators on $\mathcal{H}$. Of course, $d+1$ mutually unbiased bases (MUBs) are an example of a set of bases exhibiting these properties [3-

The qkd protocol 

We assume a setting for the Mean King problem in which the set of bases is non-degenerate and Alice has a successful strategy that is maximal in the sense of incorporated measurement projectors (see below). In each run, there will be $n$ instances of the Mean King problem, and we use a vector arrow to indicate $n$-tuples of choices, outcomes, etc. It is irrelevant for our analysis whether the steps are carried out sequentially for each instance, or for the full block of $n$ instances simultaneously.

1. Initially, an entangled state $\rho_n$ of $n$ pairs is generated and distributed to Alice and Bob. This process is vulnerable to attack, but they proceed as if $\rho_n = |\Omega^{\otimes n}\rangle\langle\Omega^{\otimes n}|$ consists of $n$ copies of the pure state used for the Mean King problem.

2. Bob chooses at random $n$ measurement bases $\vec b$, performs the projective measurement with basis $b_k$ on the $k$-th particle, obtaining the results $i_k$, and sends back the corresponding eigenstate. Altogether he returns $\Phi_{\vec b}(\vec i) = \bigotimes_{k=1}^{n}\Phi_{b_k}(i_k)$, without disclosing $\vec i$ or $\vec b$.

3. Alice performs her measurement $\{F_x\}$ on each of the returning particles and the corresponding one in her storage, obtaining as a result an $n$-tuple $\vec x$ of guessing functions.

4. After Alice announces that she finished the last of her measurements, Bob publishes his choice of bases $\vec b$, from which Alice infers $i'_k = x_k(b_k)$.

Since this is a Mean King game between Alice and Bob, without Eve's interaction this will produce an identical string $\vec i' = \vec i$ of $d$-digits. In order to test for the presence of an eavesdropper, Alice and Bob will randomly select some particles $k$ and check for the agreement $i'_k = i_k$ in these instances, and accept if they never find a deviation.

Security 

The transmission error free scenario for the security 
analysis assumes that Alice and Bob do find agreement 
with probability 1, i.e., that a potential attacker does not 
risk the introduction of any errors at all, and also that 
there are no spontaneous transmission errors. Of course, 
a full analysis would have to allow for errors, so the proof 
of security in this scenario is only a proof of principle. 



In our setting, Eve can interact at different stages. First she may provide the initial state, possibly keeping a system of her own entangled with the distributed pairs. Then she may interact with the states that Bob returns to Alice in a coherent way and finally make a joint measurement on her system. Since we analyse whole blocks simultaneously, we even allow choices violating time ordering.

What we show in the next section is that if Eve's actions do not interfere with the perfect key agreement, which Alice and Bob can test in principle, then her final conclusion will be uncorrelated with the key, i.e., she will have learned nothing about it.

PROOF 

A key notion in the Mean King problem is the idea of safe vectors 0. All vectors in the range of a measurement operator must be safe vectors if Alice does not want to risk a wrong guess. Together with a convenient normalization, we call $\eta_x$ a safe vector for guessing function $x$ if

$$\langle\eta_x|\Phi_b(i)\rangle = \delta_{x(b),i} \qquad (2)$$

with $\Phi_b(i)$ from Eq. (1). It is shown in that for a non-degenerate choice of bases such a vector exists for every guessing function $x$.

If Alice chooses a measurement $\{F_x\}$ that incorporates all of the projectors $p(x)|\eta_x\rangle\langle\eta_x|$, $p(x) \neq 0$, we will call her strategy maximal. We will now show that an operator that possesses all the $\eta_x$ as eigenvectors has to be a multiple of the identity.

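Lemma 1. Let $\mathcal{H}$ be a Hilbert space of dimension $d$ and $\{\Phi_b(i)\}$ a set of $d+1$ non-degenerate ONBs and let Alice have a maximal successful strategy. If an operator $E : \mathcal{H}\otimes\mathcal{H} \to \mathcal{H}\otimes\mathcal{H}$ fulfills $E\eta_x = \epsilon_x\eta_x$ for all safe vectors $\eta_x$ solving (2), then $\epsilon_x = \epsilon$ is constant and $E = \epsilon\mathbb{1}$.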

Proof. At first, from $\sum_x p(x)|\eta_x\rangle\langle\eta_x| = \mathbb{1}$ we can conclude that $\operatorname{span}\{\eta_x;\ x \in X\} = \mathcal{H}\otimes\mathcal{H}$ holds. Since the number of guessing functions is larger than the maximal dimension of $\mathcal{H}\otimes\mathcal{H}$ and there is a safe vector $\eta_x$ for every guessing function [7], we can ask for a decomposition of a given safe vector $\eta_x$ in a set of linearly independent safe vectors $\{\eta_y\}$, with $\eta_x \neq \eta_y$ and $\eta_x = \sum_y a_y\eta_y$ such that $a_y \neq 0\ \forall y$. One possibility is to choose the three safe vectors $\eta_u, \eta_v, \eta_w$ whose guessing functions fulfill for two bases $b', b \in \{1,\dots,d+1\}$, $b' \neq b$, the relations

$$x(b') = v(b') = i' \neq j' = u(b') = w(b')$$
$$x(b) = u(b) = i \neq j = v(b) = w(b)$$
$$x(\tilde b) = u(\tilde b) = v(\tilde b) = w(\tilde b), \quad \tilde b \notin \{b, b'\}.$$

Then the decomposition is given by $\eta_x = \eta_u + \eta_v - \eta_w$, which can be seen by evaluating the defining equation (2) for all cases. If $\eta_x, \eta_u, \eta_v, \eta_w$ are eigenvectors of the operator $E$, it follows from the uniqueness of the decomposition in linearly independent vectors and

$$E\eta_x = E(\eta_u + \eta_v - \eta_w) = \epsilon_u\eta_u + \epsilon_v\eta_v - \epsilon_w\eta_w \qquad (3)$$
$$E\eta_x = \epsilon_x(\eta_u + \eta_v - \eta_w) \qquad (4)$$

that $\eta_u, \eta_v, \eta_w$ belong to the same eigenvalue.

Now pick two arbitrary safe vectors $\eta_x, \eta_y$ with $x \neq y$, which by the assumptions belong to the eigenvalues $\epsilon_x$ and $\epsilon_y$. Since $x \neq y$ there exist $1 \le m \le d+1$ bases $b_k$ with $x(b_k) \neq y(b_k)$. Now choose a sequence of guessing functions $(z_l)_{l=0}^{m}$ with $z_0(b) = x(b)\ \forall b$ and $z_{l+1}(b) = z_l(b)\ \forall b \neq b_{l+1}$ and $z_{l+1}(b_{l+1}) = y(b_{l+1})$, which accounts for $z_m(b) = y(b)$. With the paragraph above it follows that $\epsilon_{z_l} = \epsilon_{z_{l+1}}$ for all $l$ and therefore especially $\epsilon_x = \epsilon$ for all guessing functions $x$, since $x$ and $y$ were arbitrary.

Using that $\operatorname{span}\{\eta_x\} = \mathcal{H}\otimes\mathcal{H}$ holds, we can find for all $\psi \in \mathcal{H}\otimes\mathcal{H}$ a set of linearly independent $\{\eta_x\}$ such that $\psi = \sum_x a_x\eta_x$ with $a_x \neq 0\ \forall x$. This shows that every $\psi \in \mathcal{H}\otimes\mathcal{H}$ is an eigenvector of $E$ and we can conclude that $E = \epsilon\mathbb{1}$. □
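
The safe-vector condition (2), the normalization of a maximal strategy and the decomposition used in the proof of Lemma 1 can be checked numerically. The Python code below is an added example, not part of the paper. It assumes $d = 2$ with the Pauli Z, X, Y eigenbases as the $d+1$ bases (indices counted from 0), uniform weights $p(x)$, and a closed form for the safe vectors that holds for mutually unbiased bases; that closed form is an assumption of the example and is verified against (2) in the code.

```python
import itertools
import math

D = 2                                   # qubit case (assumption of this example)
S = 1 / math.sqrt(2)
BASES = [                               # BASES[b][i]: i-th vector of the b-th basis
    [(1, 0), (0, 1)],                   # Pauli Z eigenbasis
    [(S, S), (S, -S)],                  # Pauli X eigenbasis
    [(S, 1j * S), (S, -1j * S)],        # Pauli Y eigenbasis
]
OMEGA = (S, 0, 0, S)                    # maximally entangled (|00> + |11>)/sqrt(2)
GUESSING_FUNCTIONS = list(itertools.product(range(D), repeat=D + 1))  # d^(d+1)

def inner(u, v):
    """<u|v>, conjugate-linear in the first argument."""
    return sum(complex(a).conjugate() * b for a, b in zip(u, v))

def phi_hat(b, i):
    """Eq. (1): Alice's two-particle state after Bob obtained i in basis b."""
    v = BASES[b][i]
    return tuple(complex(v[k]).conjugate() * v[m] / math.sqrt(D)
                 for k in range(D) for m in range(D))

def safe_vector(x):
    """Closed form for MUBs (assumption): d * (sum_b phi_hat(b, x(b)) - Omega)."""
    hats = [phi_hat(b, x[b]) for b in range(D + 1)]
    return tuple(D * (sum(h[c] for h in hats) - OMEGA[c]) for c in range(D * D))

def satisfies_eq2(x, tol=1e-12):
    """Check <eta_x|phi_hat(b, i)> = delta_{x(b), i} for every basis and outcome."""
    eta = safe_vector(x)
    return all(abs(inner(eta, phi_hat(b, i)) - (x[b] == i)) < tol
               for b in range(D + 1) for i in range(D))

def povm_deviation():
    """Largest entry of sum_x p(x)|eta_x><eta_x| - 1 for uniform p(x)."""
    etas = [safe_vector(x) for x in GUESSING_FUNCTIONS]
    return max(abs(sum(e[r] * e[c].conjugate() for e in etas) / len(etas) - (r == c))
               for r in range(D * D) for c in range(D * D))

def wrong_guess_probability(b, i):
    """Probability that Alice's outcome x has x(b) != i when Bob obtained i in b."""
    hat = phi_hat(b, i)
    norm = inner(hat, hat).real
    return sum(abs(inner(safe_vector(x), hat)) ** 2 / (len(GUESSING_FUNCTIONS) * norm)
               for x in GUESSING_FUNCTIONS if x[b] != i)

def decomposition_error(x, u, v, w):
    """Largest component of eta_x - (eta_u + eta_v - eta_w)."""
    ex, eu, ev, ew = (safe_vector(g) for g in (x, u, v, w))
    return max(abs(ex[c] - (eu[c] + ev[c] - ew[c])) for c in range(D * D))

print(all(satisfies_eq2(x) for x in GUESSING_FUNCTIONS), povm_deviation())
```

With $x = (0,0,0)$, $u = (1,0,0)$, $v = (0,1,0)$, $w = (1,1,0)$ the guessing functions satisfy the three relations of the proof, and `decomposition_error` vanishes up to rounding; changing $w$ in the third basis breaks the relations and the decomposition with them.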

The key to showing security for blocks of length $n$ is to consider these $n$ steps as part of a single instance of a Mean King retrodiction game in a larger Hilbert space with more bases. By tensoring we get $(d+1)^n$ measurement bases $\Phi_{\vec b}(\vec i) = \bigotimes_{k=1}^{n}\Phi_{b_k}(i_k)$ on Bob's side in $d^n$ dimensions. The $n$ entangled states Alice sends to Bob can be considered as an entangled state on $(\mathcal{H}\otimes\mathcal{H})^{\otimes n}$, and apparently a successful strategy is the $n$ times execution of her maximal strategy for the single run $\{F_x\}$, obtaining the guessing functions $\vec x = (x_1,\dots,x_n)$. The resulting vectors of the form $\eta_{\vec x} = \bigotimes_{l=1}^{n}\eta_{x_l}$ we will call safe product vectors, since after rearranging of the tensor factors

n n 
1 = 1 1 = 1 

they satisfy the constraint (2).

FIG. 1: Full coherent attack on the protocol

Of course the set of product measurement bases is no longer non-degenerate, but because $\dim(\operatorname{span}_{\mathbb{R}}(|\Phi_{\vec b}(\vec i)\rangle\langle\Phi_{\vec b}(\vec i)|)) = d^{2n}$ holds, they still span the space of all hermitian operators on $\mathcal{H}^{\otimes n}$, and the same is true for the set of all safe product vectors $\{\eta_{\vec x}\}$. From the single safe vectors $\eta_x$, the safe product vectors $\eta_{\vec x}$ inherit the decomposition property, by applying the property to one of the tensor factors. So every safe product vector $\eta_{\vec x}$ can be decomposed in three linearly independent safe product vectors $\eta_{\vec u}$, $\eta_{\vec v}$ and $\eta_{\vec w}$ with $\eta_{\vec x} = \eta_{\vec u} + \eta_{\vec v} - \eta_{\vec w}$. From this point the argumentation for the operator $E$ follows along the same line as in the single execution case: Firstly, for every two different safe product vectors $\eta_{\vec x}$ and $\eta_{\vec y}$ we can find a sequence of guessing functions that via equation (3) ensure the eigenvalues to be equal. Secondly, since the span of all safe product vectors generates again $\mathcal{H}\otimes\mathcal{H}$, which is therefore an eigenspace of the operator $E$ to one single eigenvalue, $E$ is a multiple of the identity. We get

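Lemma 2. Let $\{\eta_{\vec x}\}$ be the set of all safe product vectors for the $n$-times execution of a retrodiction problem with $d+1$ non-degenerate measurement bases $\{\Phi_b(i)\}$ on a Hilbert space $\mathcal{H}$ of dimension $d$, for which Alice has a maximal successful strategy. If $E : (\mathcal{H}\otimes\mathcal{H})^{\otimes n} \to (\mathcal{H}\otimes\mathcal{H})^{\otimes n}$ fulfills $E\eta_{\vec x} = \epsilon_{\vec x}\eta_{\vec x}$ for all $\eta_{\vec x}$, then $\epsilon = \epsilon_{\vec x}$ for all $\vec x$ and $E = \epsilon\mathbb{1}$ holds.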

We want to analyze the security of the protocol in a transmission-error free scenario for a full coherent attack on both quantum channels. That means that Eve might eavesdrop on the communication by replacing the transmission line from Alice to Bob by an arbitrary quantum channel $U$ and that her operation $V$ on the feedback channel might be connected to the outcome of this transformation via an additional quantum channel.

As a further generalization we even give the control of the source of the maximally entangled state to Eve (see FIG. 1). In this scenario we prove that if Alice and Bob observe perfect correlations of their data, or, more precisely, Eve chooses an operation that does not cause any errors, the resulting key is perfectly secure.

Lemma 2 shows that the $n$-time execution of a retrodiction game can be viewed as a one time execution of a retrodiction game on a larger Hilbert space. Because of this, we can prove the security of the $n$ times execution of the single qudit protocol by proving the security of a protocol where Alice and Bob use a $d^n$ dimensional maximally entangled state initially and the product bases and measurements defined in Lemma 2.

Now suppose Eve prepares the state ^ e ,3^ ® M' ® 
S . Using IJm.i = ^T^d elements of the generalized 
Pauli-group of a d-dimensional Hilbert space [8], we can
decompose this state in the maximally entangled basis
on the first two tensor factors and write it as 

m.l,P 

13 

where the operators Um,i have the property to generate 
all basis states of the maximally entangled basis if they 
are applied in turns to the second tensor factor of 
[9]. For the purpose of clarity these Um,i and the Pm,i,i3
are absorbed into the Ufj. By measuring this state in the 
product bases b and obtaining the result i Bob projects 
it onto the state 

Here we used that $(\mathbb{1}\otimes U)|\Omega\rangle = (U^T\otimes\mathbb{1})|\Omega\rangle$ holds for an operator $U \in \mathcal{B}(\mathcal{H})$ and the maximally entangled state $|\Omega\rangle \in \mathcal{H}\otimes\mathcal{H}$. Eve might implement an arbitrary quantum channel $V$ acting on her subsystem and the eigenstate of the measurement Bob is sending back to Alice. We now analyze the result of this operation:

^[l%>(%?l] = 

^ (C/J ® Vi)\^j;{i))\ep){^~,mep,\{Uj, gViyg\ei){ei\ 

(5) 

In order to avoid detection, Eve has to restrict her attack to such quantum channels that do not disturb the measurement statistics observed by Alice and Bob. Even after Eve has interfered with the quantum systems, Alice should guess the right measurement outcome if no transmission errors are taken into account. This means that the states received by Alice still respond to the same safe vectors $\eta_{\vec x}$ as before, so the condition

n 

1=1 

must be respected for all guessing functions $\vec x$, bases $\vec b$ and measurement results $\vec i$. Expanding the Kraus operators $V_l$ in a standard basis

7,(5,/^,!^ 

inserting this expression in equation (5) and tracing out Eve's system we obtain the state controlled by Alice before her final measurement:

Ph=Y.^ik\^i^)){hi^)\Etk (6) 

l,k 



where we defined the operators Eik as 

Using (6) we find that the probability to measure one of the safe product vectors $\eta_{\vec x}$ for a given tuple of measurement results $\vec i$ in a certain product basis $\vec b$ is given by

l,k 

From the constraint p{rjg, b, i) — ^j(g) j we can conclude, 

that (?7j|i?/fc|$j^(j)) has to be valid for every I, k, b, i 
and X. The safe product vectors rjg are unique one dimensional
projectors and Eki cannot have all the
as eigenvectors if Eik 7fcil holds. This leads to the
constraint that, in order to avoid detection, the operators
Elk corresponding to Eve's attack have to fulfill the
eigenvalue equations

E*T].s = ^ikxVs 

for all rjg. With Lemma 2 we can conclude that the
operators are of the form Eki = 7^-/1 independent of the
measurement result x that Alice obtains.

The state under Eve's control after the transmissions 
is given by: 

P/w=tr^B(l^[|*,-)(%|]) 

= E tr AB{EiM^^(i)){<^>~,(i)\Elk, ® \k){k'\ ® \ei}{ei\ 

Lk,k' 

= E ^k,nk'Ak){k'\ ® \ei){ei\ 

l,k,k' 

Hence this state is independent of Bob's choice of bases $\vec b$, his measurement result $\vec i$ and Alice's guessing function $\vec x$, and Eve cannot infer any information about the exchanged key if she wants to stay undetected. This shows the security of the proposed protocol in a transmission-error free scenario.